General Comments


BSA | The Software Alliance (BSA)¹ appreciates the leadership of the Headquarters for the 
Promotion of Digital Society (Headquarters) in driving digital policies to accelerate Japan’s 
digital transformation, including the proposal to launch a Digital Agency. We are encouraged 
that the Headquarters recognizes the critical role of digital tools in responding to societal 
challenges and achieving the vision of a “New Form of Capitalism” that the Administration 
outlined, presenting various digital measures in the recent “Digital Nippon 2022” proposal 
(Proposal). The Proposal’s two pillars, building a strong foundation for digital transformation 
and capturing changes to come, including a shift to Web 3.0 from 2.0, are important 
viewpoints to shape an effective digital agenda. A policy foundation that facilitates digital 
transformation while ensuring digital solutions are developed and used responsibly will see 
the greatest economic growth and can strengthen the stability of a society. BSA and its 
members are eager to work with the Headquarters to drive digital transformation initiatives and 
look forward to actively collaborating in the future. 


BSA is the leading advocate for the global enterprise software industry before governments 
and in the international marketplace. Its members are among the world’s most innovative 
companies, providing cutting-edge technologies and services that power governments and 
businesses including cloud computing, data analytics, and artificial intelligence (AI). Many of 
BSA’s member companies have made significant investments in Japan, and we are proud that 
many Japanese organizations and consumers continue to rely on our members’ products and 
services to support Japan’s economy. BSA works closely with governments around the world 
on developing digital policies, and based on these experiences, we provide the observations 
and recommendations below to support the Headquarters’ priorities. 


Strengthen Digital Transformation in Government 


We welcome the recommendation in 2.2.1. “Strengthening the Conformity Checks to the 
Digital Principles” under 2.2. “Strengthening Structural Reform of Regulations and 
Institutions”, encouraging the Digital Agency to set a three-year intensive reform period starting 
from FY2022 to check the conformity of the existing laws and regulations with the five Digital 
Principles,² which are designed to promote active use of robotics, AI, and other technologies 
to replace paper-based and human regulatory actions. 


1 BSA’s members include: Adobe, Alteryx, Altium, Amazon Web Services, Atlassian, Autodesk, Bentley Systems, Box, 
Cisco, CNC/Mastercam, CrowdStrike, Dassault, DocuSign, Dropbox, Graphisoft, IBM, Informatica, Intel, MathWorks, 
Microsoft, Nikon, Okta, Oracle, Prokon, PTC, Rockwell, Salesforce, SAP, ServiceNow, Shopify Inc., Siemens Industry 
Software Inc., Splunk, Trend Micro, Trimble Solutions Corporation, TriNet, Twilio, Unity Technologies, Inc., Workday, 
Zendesk, and Zoom Video Communications, Inc. 


We were also encouraged to see the proposal in section 2.3.1. “Interface for the Public” and 
2.3.5. “Local Government DX”, under 2.3. “Strengthening Government DX” and support the 
recommendation to review the three-tiered security approach to improve operational 
efficiencies and encourage the adoption of security solutions better tailored to current 
technologies and best practices based on “defense in depth” to more effectively advance 
government operations. We strongly recommend further narrowing the scope and 
circumstances of when physical separation from the Internet is advised as a viable security 
measure. Reducing unnecessary instances of physical network separation and instead 
procuring cloud services that meet appropriate internationally recognized security standards 
will enable governments to enhance government efficiency and the security of government 
networks. Security approaches have evolved rapidly reflecting technological advancement, 
and best security practices have shifted from physical isolation to more risk-based, security 
outcome-oriented practices such as advanced user ID management, zero trust architectures, 
and implementation of strong data encryption. 


These are positive developments, and we support the Headquarters’ direction to further 
facilitate government IT modernization to improve citizen service. 


Set Clear Security Enhancement Requirements 


While we welcome the above, we also have significant concerns with elements of the 
Proposal that could prevent government agencies from adopting innovative and best-in-class 
cloud technologies and services. This includes section 2.3.4. “Cloud Utilization by the 
Government”, which recommends that the Government of Japan (Government) adopt 
“security-enhanced cloud” services in circumstances involving confidentiality class-3 and 
class-3 equivalent information (e.g., sensitive data related to the Government and citizens 
within confidentiality class-2 information) and that domestically produced services be actively 
adopted for “security-enhanced cloud” and for monitoring the safety of cloud connectivity and 
network components (supply chain safety). 


We agree that the Government should take a risk-based approach to cloud adoption and that 
workloads involving confidential information should be subject to heightened security 
requirements. However, requirements that limit the Government's ability to acquire cloud 
services based on an objective assessment of security benchmarks will ultimately undermine 
such a risk-based approach. Effective policies should avoid adopting categorical prohibitions 
against the acquisition or installation of technologies simply because they are produced 
domestically. We encourage Headquarters to reconsider the approach in Section 2.3.4. and 
instead, focus on identifying clear and well-defined risk evaluation criteria that are aligned with 
internationally recognized standards, best practices, and certification frameworks. For cloud 
services, these may include recognizing ISO/IEC 27001, 27017 and 27018, and other relevant 
standards and third-party certifications. The integration of internationally recognized standards 
and other programs in risk evaluation will enable the Government to access the most 
innovative products and competitive prices that are implemented securely. We encourage 
clarifying requirements for enhanced security by referencing internationally recognized 
standards and designating the cloud services that meet these requirements as 
“security-enhanced cloud” rather than basing this determination on whether the service is domestic. 


2 Digital Principles: digital completion and automation; agile governance; public-private partnership; ensuring 
interoperability; and use of common infrastructure. Priority Policy Program Summary (page 12): 
https://www.digital.go.jp/assets/contents/node/basic_page/field_ref_resources/5ecac8cc-50f1-4168-b989-2bcaabffe870/20211224_policies_priority_summary.pdf 


The Proposal also refers to the impact of the Clarifying Lawful Overseas Use of Data 
(CLOUD) Act in the United States which could be interpreted as a reason for wanting to 
ensure that only domestic private cloud services are used. However, it is important to note 
that the CLOUD Act does not allow unrestricted US government access to data. Instead, the 
CLOUD Act puts in place a new framework to facilitate the execution of international 
agreements on information sharing for criminal investigation purposes between the US and 
other governments.³ Such agreements will ensure that information of each government's 
nationals can only be accessed by the other government subject to an agreed-upon set of 
processes and controls. This enhances the safeguards for government access to information, 
rather than compromising the security and protection of the information as the Proposal 
appears to suggest. 


Enable Japanese Businesses to Compete Globally 


Section 3.2.4. “New Businesses (Next-Generation Industries, Startups)” under 3.2. “Change in 
Growth Engine” states that as the Ministry of Economy, Trade and Industry (METI) works to 
develop criteria for reliable cloud (termed “Quality Cloud”), requirements to appropriately 
manage confidentiality class-3 information should be specified. It also recommends that 
“Quality Cloud” should be implemented in a domestically produced cloud environment in 
domestic data centers, and the cloud connectivity function that operates and manages 
connections with other cloud environments should also be implemented in a domestically 
produced cloud environment. As mentioned above, rather than evaluating risk from the 
perspective of whether or not cloud services are domestically produced, we encourage an 
approach based on domestic and global standards as well as considering the research and 
investment made to maintain and add the latest security update features. To foster Japan’s 
digital industry, the Government should actively contribute to internationally recognized 
standards and promote them to Japanese companies which will enhance their 
competitiveness in international markets, rather than incentivizing them to design their 
services to meet country-specific procurement requirements. It is also important to note that 
global cloud service providers can support local start-ups, serving as a foundation for scaling 
up this important sector of the economy with low initial costs. To foster a friendly environment 
for start-ups, we recommend avoiding the suggestion that domestically produced services are 
necessarily superior in terms of security or other features. 


Conclusion 


BSA looks forward to working with the Headquarters to support its goal of driving effective 
digital policies. In addition to sharing this recommendation, we would appreciate the 
opportunity for a dialogue to better understand the Proposal’s intention and discuss ways we 
can be of further assistance in the effort. 


3 “What is the CLOUD Act?” https://www.bsa.org/policy-filings/us-what-is-the-cloud-act 